M365 Glossary

Remove-MgApplicationOwnerByRef

What is Remove-MgApplicationOwnerByRef?

Remove-MgApplicationOwnerByRef is a Microsoft Graph PowerShell cmdlet used to remove one or more owners from an application registration in Microsoft Entra ID (Azure AD). Owners are users or service principals who manage the app. This cmdlet deletes the owner reference from the application object without affecting the owner account itself.

In plain terms: it unassigns someone as an app owner.

🚀 Community Edition Released!

Try the M365Corner Microsoft 365 Reporting Tool — your DIY pack with 20+ out-of-the-box M365 reports for Users, Groups, and Teams.

📥 Get it on GitHub ℹ️ Know More

Why Use Remove-MgApplicationOwnerByRef?

This cmdlet is helpful when you want to keep application ownership clean and compliant, especially at scale. Common reasons include:

Security cleanup: Remove outdated or unauthorized owners from sensitive apps.
Governance & audits: Ensure every app has the right owners and no excess privileges.
Role changes: Automatically remove owners when people move teams or leave.
Bulk management: Handle ownership changes across many apps without manual portal work.
Automation friendly: Works well in scripts for periodic ownership reviews.

Prerequisites

Before using Remove-MgApplicationOwnerByRef, make sure:

You have the Microsoft Graph PowerShell module installed.
You are connected to Graph with the correct permissions.

Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "Application.ReadWrite.All"

You’ll typically need roles like Application Administrator, Cloud Application Administrator, or Global Administrator.

How to use Remove-MgApplicationOwnerByRef?

You must provide:

ApplicationId (Object ID of the app)
DirectoryObjectId (Object ID of the owner to remove)

Basic syntax:

Remove-MgApplicationOwnerByRef -ApplicationId <String> -DirectoryObjectId <String> [-Confirm]

Remove-MgApplicationOwnerByRef Examples

Example 1: Single Owner Removal

To remove a single owner from an application, use the following command:

$applicationId = "12345678-abcd-1234-abcd-1234567890ab"
$ownerId = "87654321-dcba-4321-dcba-0987654321ba"
Remove-MgApplicationOwnerByRef -ApplicationId $applicationId -DirectoryObjectId $ownerId

Example 2: Bulk Owner Removal

If you need to remove multiple owners, you can loop through a list of owner IDs:

$applicationId = "12345678-abcd-1234-abcd-1234567890ab"
$ownerIds = @("87654321-dcba-4321-dcba-0987654321ba", "23456789-abcd-1234-abcd-1234567890cd")
foreach ($ownerId in $ownerIds) {
    Remove-MgApplicationOwnerByRef -ApplicationId $applicationId -DirectoryObjectId $ownerId
}

This script loops through the array of owner IDs and removes each one from the specified application.

Example 3: Removal with Confirmation Prompt

You can use the -Confirm parameter to prompt for confirmation before removing the owner:

$applicationId = "12345678-abcd-1234-abcd-1234567890ab"
$ownerId = "87654321-dcba-4321-dcba-0987654321ba"
Remove-MgApplicationOwnerByRef -ApplicationId $applicationId -DirectoryObjectId $ownerId -Confirm

This command will prompt you to confirm the removal action before proceeding.

Summary

Key Point	Details
Cmdlet Name	Remove-MgApplicationOwnerByRef
Purpose	Removes an owner reference from an Entra ID application
Required Scope	Application.ReadWrite.All
Primary Parameters	ApplicationId, DirectoryObjectId
Automation Benefit	Enables fast, repeatable app-ownership cleanup
Use Case	Governance audits, offboarding, privilege reduction

Did You Know? Managing Microsoft 365 applications is even easier with automation. Try our Graph PowerShell scripts to automate tasks like generating reports, cleaning up inactive Teams, or assigning licenses efficiently.

Ready to get the most out of Microsoft 365 tools? Explore our free Microsoft 365 administration tools to simplify your administrative tasks and boost productivity.